A few days after filing the request, Blacker called, asking me to narrow my request since the FOIA office can search emails only "person by person," rather than in bulk. The NSA has more than 30,000 employees.

A former giant corporation employer had a policy that employees could only retain email on their local disks. The Exchange server would erase it within months. That was to prevent a single subpoena or discovery request from finding everything incriminating on one server. (A comment on Fark said that policy was not legally sound as explained to me.)

Elegy:I actually wouldn't be surprised if the NSA keeps the archaic system because it is more difficult to search.

In fact, I wouldn't be surprised if they've got partitions and security measures in place specifically designed to keep people from doing global searches.

Such a system is much more secure in the event of a security breach than one that indexes every single highly classified email sent by every single employee.

Obviously.

Plus, it gives them plausible deniability for all sorts of problems, AND it makes audits an incredible pain in the ass.

I have no doubt that this is entirely true. By design. Especially since I'm sure the really sensitive information is never communicated by email anyway. Too hackable/Snowdenable. Maybe it's done by untraced IMs, or in person, or by smoke signal, but I would be VERY surprised to learn they use something as traceable and quasi-permanent as email.

whistleridge:Elegy: I actually wouldn't be surprised if the NSA keeps the archaic system because it is more difficult to search.

In fact, I wouldn't be surprised if they've got partitions and security measures in place specifically designed to keep people from doing global searches.

Such a system is much more secure in the event of a security breach than one that indexes every single highly classified email sent by every single employee.

Obviously.

Plus, it gives them plausible deniability for all sorts of problems, AND it makes audits an incredible pain in the ass.

I have no doubt that this is entirely true. By design. Especially since I'm sure the really sensitive information is never communicated by email anyway. Too hackable/Snowdenable. Maybe it's done by untraced IMs, or in person, or by smoke signal, but I would be VERY surprised to learn they use something as traceable and quasi-permanent as email.

You've obviously never heard of JWICS. That is the US computer network for top secret and sensitive compartmentalized information.

jaylectricity:How long before Anonymous has a zip file of every email sent by NSA employees?

Depends on how fast the NSA's equipment is, because I'd be willing to believe whoever is already doing this for Anonymous has better equipment than an agency that claims not to be able to do this. (Well okay, they might have good stuff, but they keep it locked up in a hutch in some douchewad's office, next to the picture of him and the marlin he "caught" and the 2nd place golf trophy.)

Its extremely likely that the NSA designs their own email systems with protections that prevent any employee from being able to access other employees emails, for really obvious reasons. Like.. they likely are deleted off the server after being retrieved once, etc.

Alonjar:Its extremely likely that the NSA designs their own email systems with protections that prevent any employee from being able to access other employees emails, for really obvious reasons. Like.. they likely are deleted off the server after being retrieved once, etc.

This is the NSA we're talking about guys.. come on.

OK, I just re-read the article and absolutely none of this applies. I revoke my previous statements.

ZAZ:A few days after filing the request, Blacker called, asking me to narrow my request since the FOIA office can search emails only "person by person," rather than in bulk. The NSA has more than 30,000 employees.

A former giant corporation employer had a policy that employees could only retain email on their local disks. The Exchange server would erase it within months. That was to prevent a single subpoena or discovery request from finding everything incriminating on one server. (A comment on Fark said that policy was not legally sound as explained to me.)

The law requires that these records be maintained for at least three years if it is a publicly traded company.

I don't have a problem with the government spying on other nations. The first satellite photos of other nations allowed us to know what they were up to. We went from having to guess how many missiles and warships they had to knowing exactly how many bombs and warships they had. It allowed the government to know exactly what the military capabilities of their enemies were.

When it comes to the government spying on it's own people without apology, it means that they view us as the enemy, just like they viewed the USSR during the cold war, North Korea, Iran and various other nations. The people we voted into power sees it necessary to spy on it's own people while at the same time spying on nations that it views as dangerous threats. We really need to look past party and start voting against those who support the NSA spying on U.S. citizens.

Serious Black:whistleridge: Elegy: I actually wouldn't be surprised if the NSA keeps the archaic system because it is more difficult to search.

In fact, I wouldn't be surprised if they've got partitions and security measures in place specifically designed to keep people from doing global searches.

Such a system is much more secure in the event of a security breach than one that indexes every single highly classified email sent by every single employee.

Obviously.

Plus, it gives them plausible deniability for all sorts of problems, AND it makes audits an incredible pain in the ass.

I have no doubt that this is entirely true. By design. Especially since I'm sure the really sensitive information is never communicated by email anyway. Too hackable/Snowdenable. Maybe it's done by untraced IMs, or in person, or by smoke signal, but I would be VERY surprised to learn they use something as traceable and quasi-permanent as email.

You've obviously never heard of JWICS. That is the US computer network for top secret and sensitive compartmentalized information.

No, I have. I was trying to be all tinfoil-hat-ish. Maybe I didn't sell it hard enough?

ZAZ:A few days after filing the request, Blacker called, asking me to narrow my request since the FOIA office can search emails only "person by person," rather than in bulk. The NSA has more than 30,000 employees.

A former giant corporation employer had a policy that employees could only retain email on their local disks. The Exchange server would erase it within months. That was to prevent a single subpoena or discovery request from finding everything incriminating on one server. (A comment on Fark said that policy was not legally sound as explained to me.)

That could work as as a policy if there were no overriding regulations for the particular business such as HIPAA.

The trick with document retention policies (DRP) is that you have to get them into effect early in the company's history because once served with a lawsuit, you must preserve documents for discovery.

So that if you were able to set a policy that no mail is kept on the server longer than 30 days AND that no backups of the server nor client systems were done, then you are free to destroy emails.

It's really up to management to decide what the business risk is regarding how much information to archive vs. the exposure. Some CEOs demand every email be kept (only to regret it later) vs those which are aggressive in purging non-critical information.

Once you've been sued and gone through discovery your point of view might radically change.

This is why enterprise email servers like Exchange are preferred because they are built with policy compliance in mind. e.g. turn on "Litigation Hold" for a user and everything on the user is kept even though they are deleting and storing mail. It's all kept at the server regardless of what they do at the mail client.

ALEX I'm getting this from anonymous crypto boards. Daedalus was supposed to beat the old content-recognition problem in surveillance; it was a program that could search all the terabytes of intercepted messages for subversive content.JC DENTON So what happened?ALEX Never panned out, as far as I know. The problem was just too hard. They blew through a lot of taxpayer money but finally had to scrap the whole project.

Most companies would have a hard time. With that many employees, most mail servers run out of hard drive space in no time, so administrators only give employees a very small amount of space on an Exchange server before annoying quota emails start arriving. When that happens, most employees will choose to set up an outlook rule to just move email to a local folder in a possibly encrypted .pst archive file. Now you have ~30000 possibly encrypted files with emails in a non-standard location. To search for bulk terms in e-mail would be no easy task at all when this happens.

Klippoklondike:That FOIA request officer lady has an awesome job. All she has to say is "No, sorry, can't do it" and then make up some bs line that nobody would ever believe. And she gets payed for it.

I have to call bullshiat on that one. I think it is a lie. It is not that hard of a thing to do .... I've done it as part of my job.. "Oh Mr. Email Administrator..." Boss comes in and says there is a subpena... find the information outlined.. - Ok.. soooo.. yeah... I have to search 15k employee mailboxes over from date X to date Y looking for string Z..... "is the data subject to statuary backup, like in 45 CFR 164" I ask? "Yes" I am told just get it done."

/Took me four days, including the retrieval of the backups... but I have the "selected" emails.//There was a lot of overtime...

lohphat:ZAZ: A few days after filing the request, Blacker called, asking me to narrow my request since the FOIA office can search emails only "person by person," rather than in bulk. The NSA has more than 30,000 employees.

A former giant corporation employer had a policy that employees could only retain email on their local disks. The Exchange server would erase it within months. That was to prevent a single subpoena or discovery request from finding everything incriminating on one server. (A comment on Fark said that policy was not legally sound as explained to me.)

That could work as as a policy if there were no overriding regulations for the particular business such as HIPAA.

The trick with document retention policies (DRP) is that you have to get them into effect early in the company's history because once served with a lawsuit, you must preserve documents for discovery.

So that if you were able to set a policy that no mail is kept on the server longer than 30 days AND that no backups of the server nor client systems were done, then you are free to destroy emails.

It's really up to management to decide what the business risk is regarding how much information to archive vs. the exposure. Some CEOs demand every email be kept (only to regret it later) vs those which are aggressive in purging non-critical information.

Once you've been sued and gone through discovery your point of view might radically change.

This is why enterprise email servers like Exchange are preferred because they are built with policy compliance in mind. e.g. turn on "Litigation Hold" for a user and everything on the user is kept even though they are deleting and storing mail. It's all kept at the server regardless of what they do at the mail client.

I wish my company would activate that feature for me. They delete all emails after only 90 days. It's a pain in the ass.

I work in the construction industry; email discovery and archival retrieval is a significant part of my duties.We keep email for 20 years, but we give users a period of time to delete things before automatically archiving it.I can search for and retrieve by almost any parameters from any number of users.I call bullshirt.

Holy cow -- at my last job, we only keept it for eight.... Just the statute of limitations and a little slack beyond that... And if it wasn't something that didn't need to be saved... we would not save it.... We even told employees to avoid email and use encrypted IM for certain things. (...there are a couple of encryption applications that work nicely with various IM clients.)